1.1.3 Unlock and Linux Driver

The IPSF exploit still works in the 1.1.3 baseband, and now that we know Apple doesn't update the bootloader it appears to be safe to use. IPSF works using the RSA signature hack in bootloader 3.9, so as long as the bootloader is 3.9, I can't see it breaking. Here is source code I wrote to do the IPSF unlock a while ago. With a little mod, people can turn their virginizer into an IPSF unlocker. I wouldn't bother with the AnySim patches anymore, they are lost after all restores, and need to be modified for each version of the baseband. Be warned though, back up your seczone before IPSF unlocking. IPSF erases your NCK token.
Also I was playing around with writing Linux drivers, and I figured I'd start one for the iPhone. Here is what I have so far, it only works in recovery mode. You can echo iBoot commands to /proc/iphone/cmd

Rogue developers

Update: The issue has been resolved. See the update at the bottom of the post.

In August 2004, I reverse engineered Apple’s AirTunes protocol and released JustePort, the first non-Apple application to enable streaming to the AirPort Express. Because of my work, Rogue Amoeba was able to develop their $25 AirFoil application - a more user friendly tool for streaming to the AirPort Express. I didn’t have any problems with this - I released JustePort as open source so that others could build similar applications by learning from my source code. What I did not particularly like though was the product page for Airfoil, claiming “It’s not just for iTunes anymore”. This misleading statement, suggesting that Airfoil was the first tool of its kind and that Rogue Amoeba did the hard work to enable non-Apple streaming to the AirPort Express, has since been removed from the Airfoil product page.

I was reading Rogue Amoeba’s blog yesterday and noticed that they’ve released a Linux version of their Airfoil Speakers application. Airfoil Speakers is a companion application to AirFoil that implements the player part of the AirTunes protocol. By starting Airfoil Speakers on a computer (e.g. your home theatre PC) you can stream audio to it using Airfoil from another computer. The release of the Linux version of Airfoil Speakers piqued my interest so I downloaded it and had a look. It uses .NET and requires Mono. I downloaded the Windows version as well and it shares the core with the Linux version.

I ran AirfoilSpeakers.exe (MD5: 82b7ef8c05958ccb6e24289c8b21a27c) from the Windows version through monodis to see if I could find anything interesting. I came across this:

.namespace AirfoilServer.AirTunes
{
.class private auto ansi beforefieldinit Utility
extends [mscorlib]System.Object
{

// method line 853
.method public static hidebysig
default void LeReverse (unsigned int8[] arr, int32 index, int32 length) cil managed
{
// Method begins at RVA 0x104b6
// Code size 16 (0x10)
.maxstack 8
IL_0000: ldsfld bool [mscorlib]System.BitConverter::IsLittleEndian
IL_0005: brfalse.s IL_000f

IL_0007: ldarg.0
IL_0008: ldarg.1
IL_0009: ldarg.2
IL_000a: call void class [mscorlib]System.Array::Reverse(class [mscorlib]System.Array, int32, int32)
IL_000f: ret
} // end of method Utility::LeReverse

// method line 854
.method public static hidebysig
default void LeReverse (unsigned int8[] arr) cil managed
{
// Method begins at RVA 0x104c7
// Code size 11 (0xb)
.maxstack 8
IL_0000: ldarg.0
IL_0001: ldc.i4.0
IL_0002: ldarg.0
IL_0003: ldlen
IL_0004: conv.i4
IL_0005: call void class AirfoilServer.AirTunes.Utility::LeReverse(unsigned int8[], int32, int32)
IL_000a: ret
} // end of method Utility::LeReverse

// method line 855
.method public static hidebysig
default void RijndaelDecrypt (unsigned int8[] Buf, int32 Offset, int32 Count, unsigned int8[] Key, unsigned int8[] IV) cil managed
{
// Method begins at RVA 0x104d4
// Code size 80 (0x50)
.maxstack 5
.locals init (
class [mscorlib]System.Security.Cryptography.Rijndael V_0,
class [mscorlib]System.IO.MemoryStream V_1,
class [mscorlib]System.Security.Cryptography.ICryptoTransform V_2,
class [mscorlib]System.Security.Cryptography.CryptoStream V_3)
IL_0000: call class [mscorlib]System.Security.Cryptography.Rijndael class [mscorlib]System.Security.Cryptography.Rijndael::Create()
IL_0005: stloc.0
IL_0006: ldloc.0
IL_0007: ldc.i4.1
IL_0008: callvirt instance void class [mscorlib]System.Security.Cryptography.SymmetricAlgorithm::set_Mode(valuetype [mscorlib]System.Security.Cryptography.CipherMode)
IL_000d: ldloc.0
IL_000e: ldc.i4.1
IL_000f: callvirt instance void class [mscorlib]System.Security.Cryptography.SymmetricAlgorithm::set_Padding(valuetype [mscorlib]System.Security.Cryptography.PaddingMode)
IL_0014: newobj instance void class [mscorlib]System.IO.MemoryStream::.ctor()
IL_0019: stloc.1
IL_001a: ldloc.0
IL_001b: ldarg.3
IL_001c: ldarg.s 4
IL_001e: callvirt instance class [mscorlib]System.Security.Cryptography.ICryptoTransform class [mscorlib]System.Security.Cryptography.SymmetricAlgorithm::CreateDecryptor(unsigned int8[], unsigned int8[])
IL_0023: stloc.2
IL_0024: ldloc.1
IL_0025: ldloc.2
IL_0026: ldc.i4.1
IL_0027: newobj instance void class [mscorlib]System.Security.Cryptography.CryptoStream::.ctor(class [mscorlib]System.IO.Stream, class [mscorlib]System.Security.Cryptography.ICryptoTransform, valuetype [mscorlib]System.Security.Cryptography.CryptoStreamMode)
IL_002c: stloc.3
IL_002d: ldloc.3
IL_002e: ldarg.0
IL_002f: ldarg.1
IL_0030: ldarg.2
IL_0031: ldc.i4.s 0x10
IL_0033: div
IL_0034: ldc.i4.s 0x10
IL_0036: mul
IL_0037: callvirt instance void class [mscorlib]System.IO.Stream::Write(unsigned int8[], int32, int32)
IL_003c: ldloc.3
IL_003d: callvirt instance void class [mscorlib]System.IO.Stream::Close()
IL_0042: ldloc.1
IL_0043: callvirt instance unsigned int8[] class [mscorlib]System.IO.MemoryStream::ToArray()
IL_0048: ldarg.0
IL_0049: ldc.i4.0
IL_004a: callvirt instance void class [mscorlib]System.Array::CopyTo(class [mscorlib]System.Array, int32)
IL_004f: ret
} // end of method Utility::RijndaelDecrypt

// method line 856
.method public hidebysig specialname rtspecialname
instance default void .ctor () cil managed
{
// Method begins at RVA 0x10530
// Code size 7 (0x7)
.maxstack 8
IL_0000: ldarg.0
IL_0001: call instance void object::.ctor()
IL_0006: ret
} // end of method Utility::.ctor

} // end of class AirfoilServer.AirTunes.Utility
}

That Utility class looks very familiar. Where have I seen those exact functions before? Oh, that’s right, it’s the Utility class licensed under the GPL from my DeDRMS and SharpMusique source code packages.

I can’t say I’m surprised. GPL’ed code is frequently used in violation of the license. MacTheRipper, a popular DVD ripper for MacOS X, has been violating the GPL for years by using libdvdcss and refusing to release the source code.

I’m not going to be too hard on Rogue Amoeba though. Like many Mac users, they are against closed platforms. See their blog post about the iPhone SDK as well as the future of code signing in MacOS X.
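Spotting the reuse by eye works for one class; for a license-compliance sweep over a whole assembly it helps to fingerprint each method's IL. The script below is an added example, not code from the post or from either project: it parses monodis-style output, hashes only the opcode mnemonics (operands are dropped, so a renamed namespace such as the hypothetical ReferenceLib here does not hide a copied body) and reports methods whose bodies match between a shipped build and a reference build. The listings are constructed samples; the short-body threshold exists because trivial methods like a default .ctor are identical in every assembly.

```python
import hashlib
import re

# Constructed monodis-style listings (hypothetical samples, not the post's full dump):
# the shipped assembly and a reference build of the same class under another namespace.
SHIPPED_IL = """\
.method public static hidebysig
default void LeReverse (unsigned int8[] arr) cil managed
{
IL_0000: ldarg.0
IL_0001: ldc.i4.0
IL_0002: ldarg.0
IL_0003: ldlen
IL_0004: conv.i4
IL_0005: call void class AirfoilServer.AirTunes.Utility::LeReverse(unsigned int8[], int32, int32)
IL_000a: ret
} // end of method Utility::LeReverse
.method public hidebysig specialname rtspecialname
instance default void .ctor () cil managed
{
IL_0000: ldarg.0
IL_0001: call instance void object::.ctor()
IL_0006: ret
} // end of method Utility::.ctor
"""
REFERENCE_IL = SHIPPED_IL.replace("AirfoilServer.AirTunes", "ReferenceLib")

# One match per method: the signature line, then the body up to the closing comment.
METHOD_RE = re.compile(
    r"\.method[^\n]*\n(?:instance\s+)?default\s+\S+\s+(?P<name>[\w.]+)\s*\((?P<args>[^)]*)\)"
    r".*?\{(?P<body>.*?)\} // end of method", re.S)
OP_RE = re.compile(r"^IL_[0-9a-f]+:\s+(\S+)", re.M)

def fingerprints(listing, min_ops=5):
    """Map 'Name(args)' -> SHA-256 over the opcode mnemonics only.
    Operands are dropped so renamed namespaces/types do not change the hash;
    bodies shorter than min_ops are skipped because trivial methods (e.g. a
    default .ctor) look identical in every assembly and would be false hits."""
    out = {}
    for m in METHOD_RE.finditer(listing):
        ops = OP_RE.findall(m.group("body"))
        if len(ops) < min_ops:
            continue
        sig = f"{m.group('name')}({m.group('args').strip()})"
        out[sig] = hashlib.sha256(" ".join(ops).encode()).hexdigest()
    return out

def shared_methods(shipped, reference):
    """Signatures whose opcode streams are identical in both listings."""
    a, b = fingerprints(shipped), fingerprints(reference)
    return sorted(sig for sig in a if b.get(sig) == a[sig])

if __name__ == "__main__":
    print(shared_methods(SHIPPED_IL, REFERENCE_IL))
```

An exact opcode match is strong evidence of a copied body but not proof; a recompiled or lightly edited copy needs a fuzzier comparison (e.g. n-gram overlap) than this exact hash.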

Update: Quentin from Rogue Amoeba got in touch via email. The code ended up in Airfoil Speakers due to an honest misunderstanding. Quentin writes:

We use a lot of open source software in our products, could not make them as good as we do without it in fact. And as such, we do our best to make sure the licenses are followed. All our commercial software is GPL-free, some use LGPL’ed libraries, and some BSD/MIT code in places. We try to make sure all the code we use is correctly attributed, and give back when we can (http://rogueamoeba.com/sources/, www.rogueamoeba.com/utm/2008/01/12/perian-is-awesome/).

So we’ve put together Utility.cs-less versions of Airfoil Speakers to fix our GPL compliance. The Linux version we are pushing out immediately (it’s still in beta technically) here: http://bigblueamoeba.com/tmp/airfoilspeakerslinux/. The Windows version will be officially pushed out this week after testing, but is available right now here: http://bigblueamoeba.com/tmp/airfoilspeakerswindows/

Thanks Quentin!


Porting an OS

I've been getting a lot of questions from people that seem to show a basic misunderstanding of what it takes to port an operating system onto a new platform. People seem to think that just by writing, say, a bootloader, means that we can stick Android or Windows or whatever onto a device because we can have a loader written for it.

Here's what it takes for an operating system to run on a device:
  • The code must be designed for the right CPU. (x86, ARM, PPC)
  • The code must be able to interact with the hardware in the way it expects.
Now, there are versions of Linux compiled in ARM (which the iPhone uses), there are even versions of Windows Mobile that are compiled in ARM. Why can't I, then, just stick Windows Mobile or Android (or another flavor of Linux) onto the iPhone and give it a whirl?

Because the code cannot interact with the hardware! That is, there are no Linux drivers or Windows Mobile drivers for the hardware that's on the iPhone. We're not even talking about things like the wi-fi won't work or something minor like that. We're talking about big things, like not being able to boot because it doesn't load itself into RAM properly. We're talking about freezing the first time it has to wait for something to happen because it doesn't know how to operate the hardware clocks and timers (which is CRITICAL for computers) and doesn't know when to start again.

Thus, if I tried to take any distribution of Linux or Windows or whatever, stick it in memory and start it, absolutely nothing will happen. That's right: nothing. There will be no output because it doesn't know how to operate the display, or the USB, or anything. It probably won't even get to the first line of code that tells it to output something because so many things are broken.

So how can we get Linux to boot on the iPhone?

By teaching it how to operate the hardware. We take the knowledge gained from getting that bootloader to display and insert it into the Linux kernel. It took an incredible number of devices just to get the bootloader displaying: clock, timer, vic, mmu, spi, i2c, gpio, system mortal, pmu, nor, uart, usb, lcd, buttons. Some of those may be apparent to you, some work in the background to support the other devices. But all of those had to be reverse engineered and all of them will have to be transplanted into the Linux kernel to even get something half-assed booting.

If all of those devices were required to get something as simple as a bootloader up, can you imagine what would happen if you tried to boot an operating system that did not know how to operate ANY of those devices?

We cannot modify the Windows Mobile kernel because it's closed source, and so there's no way to get it to run on the iPhone.

The critical misunderstanding, I think, is that people think somehow that the OS "sits on top" of the bootloader, and talks to the hardware through the bootloader. Therefore, you can have an "abstraction layer" that lets Windows or Linux or whatever talk to the hardware, without having to modify Windows or Linux itself. This is completely false. An operating system, by definition, has direct access to the hardware. Nothing sits between it and the hardware. Once iBoot has loaded the iPhone OS, you can go ahead and wipe it clean from the NOR and the OS will keep running as usual. It's not "running", it's not used or loaded in any way except during the boot process.

The iPhone will never run Windows Mobile directly (virtualization would be possible albeit it would crawl on the iPhone). It will run Linux once we write the drivers for it based on our knowledge of the hardware. Android uses the Linux kernel, though they do modify it to a certain point. Since the only really hardware dependent part of an OS is in the kernel, presumably once we install the necessary drivers, Android will run just as well as Linux runs. However, not having even looked at Android's source yet, I really don't have a truly informed opinion at the moment, but let's just say that it's one of this project's primary goals.

Sorry this is so long, but informed explanations tend to be long.

P.S. Another question people ask a lot is how long will it take. I can't really give a good answer to that, because it's kind of dependent on the schedules of the people who work on it, and it also depends on how fast it'll take to write the Linux drivers, and how many unexpected problems crop up. It could go really unexpectedly fast, or we could hit a roadblock. I think outside observers, just reading the site logs and reading the channel, have as little information as I do on how fast things are progressing, so you're free to come up with your own conclusions on how long it will take.

NAND FTL

So the big news today (other than Obama winning the presidency!) is that we have enough of a working NAND driver now that we're able to read from NAND! It was verse form lose. There turns out to be not as much hardware voodoo as, say, Merlot, so that's pretty good news. It seems to work (albeit slowly) and I even wrote the ECC routines yesterday (and those seem to work as well).

Unfortunately, in the course of this, we discovered various discouraging things. First, I can't seem to find anything that might write to NAND. It's probably not much more complicated and probably reuses a lot of the stuff we've been doing, but it means that we might have to look in the kernel for that code, which kind of bites (a lot of the kernel is in C++ and not as friendly to reverse).

The second thing is the realization that none of Samsung's proprietary FTL code is in this thing. Without being able to see it, we can't actually map sectors to data and we can't make sense of the NAND data or write new data to it in a functional way. Unfortunately, this code is likely to be ridiculously complex, since it's basically their SDK they give to everyone. Without it, we can still carry on, but the iPhone can't read Linux's data and Linux can't read iPhone's data. In the worst case, we can't even have both OSes on the NAND at once.

Still, being able to dump NAND through USB is a substantial achievement, and we're well on our way.

Porting to iPhone 3G and iPod touch

Hey guys,

The lack of updates for the past few days is because many of you decided to visit us in IRC, thus enabling work to be done on porting openiboot to the iPod touch and the iPhone 3G (in particular because I don't have an iPod touch at the moment).

I'm happy to report that everything now seems to be working on the iPhone 2G and the iPhone 3G (albeit NOR read/write on the iPhone 3G is unoptimized and is unacceptably slow). There is apparently an outstanding issue with the NAND ECC on some (?) iPod touches, and also some people can't seem to actually install openiboot to NOR on both iPhone 2G and iPod touch. Unfortunately, the problem is that these things happen on devices that I don't have physical access to, and IRC is often a frustrating medium for communication with testers. I'm confident these issues will be resolved soon, though.

So, current concurrent projects:

1. Resolve openiboot porting issues
2. Implement poorlad's boot menu
3. Work on write support for FTL

After at least one of those things are finished, we'll be working on the Linux kernel.